---

Home Security

Mandrake Linux Advisory: rxvt, openssl

By 
______________________________________________________________________
                Mandrake Linux Security Update Advisory
______________________________________________________________________
Package name:           rxvt
Advisory ID:            MDKSA-2003:034
Date:                   March 25th, 2003
Affected versions:      8.2, 9.0, 9.1, Corporate Server 2.1
______________________________________________________________________
Problem Description:
 Digital Defense Inc. released a paper detailing insecurities in various 
 terminal emulators, including rxvt.  Many of the features supported by 
 these programs can be abused when untrusted data is displayed on the 
 screen.  This abuse can be anything from garbage data being displayed 
 to the screen or a system compromise.
______________________________________________________________________
References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0022
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0023
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0066
  http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
______________________________________________________________________
Updated Packages:
  
 Corporate Server 2.1:
 304e14627ae3a96ea7c5a192933d99fb  corporate/2.1/RPMS/rxvt-2.7.8-6.1mdk.i586.rpm
 59dac66b6350a2e303451d9eb91847c6  corporate/2.1/RPMS/rxvt-CJK-2.7.8-6.1mdk.i586.rpm
 d789a865351a2babb0fe373b34e13723  corporate/2.1/RPMS/rxvt-devel-2.7.8-6.1mdk.i586.rpm
 9f5c2791c045dc64fd2671f1a12428a7  corporate/2.1/SRPMS/rxvt-2.7.8-6.1mdk.src.rpm
 Mandrake Linux 8.2:
 91e3e2e65b968aeb18f85cbf15dc82f3  8.2/RPMS/rxvt-2.7.8-6.1mdk.i586.rpm
 5f43a74501bf4d9c56e9001c4121c958  8.2/RPMS/rxvt-CJK-2.7.8-6.1mdk.i586.rpm
 5250f56624c06d73bfaea2949ba14ece  8.2/RPMS/rxvt-devel-2.7.8-6.1mdk.i586.rpm
 9f5c2791c045dc64fd2671f1a12428a7  8.2/SRPMS/rxvt-2.7.8-6.1mdk.src.rpm
 Mandrake Linux 8.2/PPC:
 9fb17d9636fcfa4f9c256751b84e3f21  ppc/8.2/RPMS/rxvt-2.7.8-6.1mdk.ppc.rpm
 575cc88ab594e34806f4f91d756af901  ppc/8.2/RPMS/rxvt-CJK-2.7.8-6.1mdk.ppc.rpm
 2ee2e79c6a99a11b4d9bda7e830fee9d  ppc/8.2/RPMS/rxvt-devel-2.7.8-6.1mdk.ppc.rpm
 9f5c2791c045dc64fd2671f1a12428a7  ppc/8.2/SRPMS/rxvt-2.7.8-6.1mdk.src.rpm
 Mandrake Linux 9.0:
 304e14627ae3a96ea7c5a192933d99fb  9.0/RPMS/rxvt-2.7.8-6.1mdk.i586.rpm
 59dac66b6350a2e303451d9eb91847c6  9.0/RPMS/rxvt-CJK-2.7.8-6.1mdk.i586.rpm
 d789a865351a2babb0fe373b34e13723  9.0/RPMS/rxvt-devel-2.7.8-6.1mdk.i586.rpm
 9f5c2791c045dc64fd2671f1a12428a7  9.0/SRPMS/rxvt-2.7.8-6.1mdk.src.rpm
 Mandrake Linux 9.1:
 b61a5f2f75abc1a79f4d0fe018f2514d  9.1/RPMS/rxvt-2.7.8-6.1mdk.i586.rpm
 a24cf18f487ff38e6408c01127969575  9.1/RPMS/rxvt-CJK-2.7.8-6.1mdk.i586.rpm
 d119f8e23a4dac83978ca0c428399c4d  9.1/RPMS/rxvt-devel-2.7.8-6.1mdk.i586.rpm
 9f5c2791c045dc64fd2671f1a12428a7  9.1/SRPMS/rxvt-2.7.8-6.1mdk.src.rpm
 Mandrake Linux 9.1/PPC:
 1bbeab988e538c55666a1f2726d85c0e  ppc/9.1/RPMS/rxvt-2.7.8-6.1mdk.ppc.rpm
 393ec897551da4adb184b2f87cd080b0  ppc/9.1/RPMS/rxvt-CJK-2.7.8-6.1mdk.ppc.rpm
 24cfc70d092a405f2b34f43e277b86b1  ppc/9.1/RPMS/rxvt-devel-2.7.8-6.1mdk.ppc.rpm
 9f5c2791c045dc64fd2671f1a12428a7  ppc/9.1/SRPMS/rxvt-2.7.8-6.1mdk.src.rpm
______________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________
To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.
If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:
  http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:
  rpm --checksig <filename>
All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:
  https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
  http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:
  http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
  security_linux-mandrake.com
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
______________________________________________________________________
                Mandrake Linux Security Update Advisory
______________________________________________________________________
Package name:           openssl
Advisory ID:            MDKSA-2003:035
Date:                   March 25th, 2003
Affected versions:      7.2, 8.0, 8.1, 8.2, 9.0, 9.1,
                        Corporate Server 2.1,
                        Multi Network Firewall 8.2,
                        Single Network Firewall 7.2
______________________________________________________________________
Problem Description:
 Researchers discovered a timing-based attack on RSA keys that OpenSSL 
 is generally vulnerable to, unless RSA blinding is enabled.  Patches 
 from the OpenSSL team have been applied to turn RSA blinding on by 
 default.
 
 An extension of the "Bleichenbacher attack" on RSA with PKS #1 v1.5 
 padding as used in SSL 3.0 and TSL 1.0 was also created by Czech 
 cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa.  This 
 attack requires the attacker to open millions of SSL/TLS connections to 
 the server they are attacking.  This is done because the server's 
 behaviour when faced with specially crafted RSA ciphertexts can reveal 
 information that would in effect allow the attacker to perform a single 
 RSA private key operation on a ciphertext of their choice, using the 
 server's RSA key.  Despite this, the server's RSA key is not 
 compromised at any time.  Patches from the OpenSSL team modify SSL/TLS 
 server behaviour to avoid this vulnerability.
______________________________________________________________________
References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
  http://www.openssl.org/news/secadv_20030317.txt
  http://www.openssl.org/news/secadv_20030319.txt
  http://eprint.iacr.org/2003/052/
  http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
______________________________________________________________________
Updated Packages:
  
 Corporate Server 2.1:
 1f97f51fc7844e5f6802e3aa6ca74791  corporate/2.1/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 d040d1e5d74236246dc6e704bb2203f3  corporate/2.1/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 2f97c2eb1dfcc103ee9d9b7bc0da1ce6  corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 8ced8d0418a91356f5ca9cb0c92ed13c  corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  corporate/2.1/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm
 Linux-Mandrake 7.2:
 2456e38a9b1cb8a7a417ce813722d359  7.2/RPMS/openssl-0.9.5a-9.5mdk.i586.rpm
 25570e4332467ed6b9b66f7b83b98a5f  7.2/RPMS/openssl-devel-0.9.5a-9.5mdk.i586.rpm
 b81d7f132522e14f3ff3c72084ff598d  7.2/SRPMS/openssl-0.9.5a-9.5mdk.src.rpm
 Mandrake Linux 8.0:
 81d9b10942d49d2f9ced14e3a71424fd  8.0/RPMS/openssl-0.9.6i-1.3mdk.i586.rpm
 606e4b4e4e3b616bed2010853e53d51d  8.0/RPMS/openssl-devel-0.9.6i-1.3mdk.i586.rpm
 3b74a6605f4432dbe0edde40aa3dcadb  8.0/SRPMS/openssl-0.9.6i-1.3mdk.src.rpm
 Mandrake Linux 8.0/PPC:
 cdcb83e78a92995f41abc3cb609a3c1a  ppc/8.0/RPMS/openssl-0.9.6i-1.3mdk.ppc.rpm
 4ab4f18f118d908b25582c448b36e8ef  ppc/8.0/RPMS/openssl-devel-0.9.6i-1.3mdk.ppc.rpm
 3b74a6605f4432dbe0edde40aa3dcadb  ppc/8.0/SRPMS/openssl-0.9.6i-1.3mdk.src.rpm
 Mandrake Linux 8.1:
 b2ec1909cd8d4b545f400dfdd8dd21b8  8.1/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 a5958222e4b56b28310b433a4cbf404c  8.1/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 f320b1015cf36d96e7112b422eaac247  8.1/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 0ac93e28e8ea7961271fb1347bce45c0  8.1/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  8.1/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm
 Mandrake Linux 8.1/IA64:
 e5bf45db5e39cabb968f67714fed5dc7  ia64/8.1/RPMS/openssl-0.9.6i-1.4mdk.ia64.rpm
 c980bab7c8b6ca490b10320c0627b8c8  ia64/8.1/RPMS/libopenssl0-0.9.6i-1.4mdk.ia64.rpm
 7cc714df2377bf7e829e0b3c4beca86e  ia64/8.1/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.ia64.rpm
 132dafc5478b2d29ccbe00db9cdf4e23  ia64/8.1/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.ia64.rpm
 af0095b439927a91290dd7042ee5628b  ia64/8.1/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm
 Mandrake Linux 8.2:
 dda78cd11a20595e53312afc653fac9f  8.2/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 4a7cd0178f82443f809cb38891582175  8.2/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 74b935ecd6879032ac68b5b44ad5c561  8.2/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 98c8aea58c05af35f8332cb41bd270af  8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  8.2/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm
 Mandrake Linux 8.2/PPC:
 2473c3a4fa6d6590ba1cc159db8ed340  ppc/8.2/RPMS/openssl-0.9.6i-1.4mdk.ppc.rpm
 d1305bcf73666db63baebed6804b8a6c  ppc/8.2/RPMS/libopenssl0-0.9.6i-1.4mdk.ppc.rpm
 64f4c5e2c6208a391672a4402928200f  ppc/8.2/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.ppc.rpm
 54d6290be283a0c38e54158db6a97474  ppc/8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.ppc.rpm
 af0095b439927a91290dd7042ee5628b  ppc/8.2/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm
 Mandrake Linux 9.0:
 1f97f51fc7844e5f6802e3aa6ca74791  9.0/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 d040d1e5d74236246dc6e704bb2203f3  9.0/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 2f97c2eb1dfcc103ee9d9b7bc0da1ce6  9.0/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 8ced8d0418a91356f5ca9cb0c92ed13c  9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  9.0/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm
 Mandrake Linux 9.1:
 288774348383b48d7df2aab9a0880bca  9.1/RPMS/openssl-0.9.7a-1.1mdk.i586.rpm
 0c74aa06e11cebfd819f791bcc4273d5  9.1/RPMS/libopenssl0-0.9.6i-1.1mdk.i586.rpm
 2b55957ae61d7358f285c9c0367faaaa  9.1/RPMS/libopenssl0.9.7-0.9.7a-1.1mdk.i586.rpm
 21742fc79ee8127df48c2ac8e442dd9e  9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.1mdk.i586.rpm
 773588cdfb5e60f79bc9fba2c519e558  9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.1mdk.i586.rpm
 0b94e67c6e3e1bc3401a527094bc00de  9.1/SRPMS/openssl-0.9.7a-1.1mdk.src.rpm
 b95b94b3edb0c6a1a7c1e8d3d1f028fa  9.1/SRPMS/openssl0.9.6-0.9.6i-1.1mdk.src.rpm
 Mandrake Linux 9.1/PPC:
 00f6efe10d3d5b6a0190ccd5498c09e5  ppc/9.1/RPMS/openssl-0.9.7a-1.1mdk.ppc.rpm
 622128e23bbe2e34c90bd4ee27384621  ppc/9.1/RPMS/libopenssl0-0.9.6i-1.1mdk.ppc.rpm
 8398460586e2e2551db62d7206bdc9db  ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.1mdk.ppc.rpm
 ccc5f5eb95404a3f114dbe486d466350  ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.1mdk.ppc.rpm
 cfcfacd4af2fcd34afa32d9494e81277  ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.1mdk.ppc.rpm
 0b94e67c6e3e1bc3401a527094bc00de  ppc/9.1/SRPMS/openssl-0.9.7a-1.1mdk.src.rpm
 b95b94b3edb0c6a1a7c1e8d3d1f028fa  ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.1mdk.src.rpm
 Multi Network Firewall 8.2:
 dda78cd11a20595e53312afc653fac9f  mnf8.2/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 4a7cd0178f82443f809cb38891582175  mnf8.2/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  mnf8.2/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm
 Single Network Firewall 7.2:
 2456e38a9b1cb8a7a417ce813722d359  snf7.2/RPMS/openssl-0.9.5a-9.5mdk.i586.rpm
 b81d7f132522e14f3ff3c72084ff598d  snf7.2/SRPMS/openssl-0.9.5a-9.5mdk.src.rpm
______________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________
To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.
If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:
  http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:
  rpm --checksig <filename>
All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:
  https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
  http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:
  http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
  security_linux-mandrake.com
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.